Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bump several dependencies to fix vulnerable packages #303

Merged
merged 1 commit into from
Jan 13, 2025
Merged

Bump several dependencies to fix vulnerable packages #303

merged 1 commit into from
Jan 13, 2025

Conversation

nunnatsa
Copy link
Contributor

What this PR does / why we need it:

Dependency go:golang.org/x/net:v0.25.0 is vulnerable

Upgrade to 0.33.0

GHSA-w32m-9786-jp63, Score: 8.7

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

Read More: https://osv.dev/vulnerability/GHSA-w32m-9786-jp63

GO-2024-3333, Score: 8.7

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

Read More: https://osv.dev/vulnerability/GO-2024-3333

Release notes:

fix vulnerable packages

@k8s-ci-robot k8s-ci-robot added approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Jan 12, 2025
@coveralls
Copy link

coveralls commented Jan 12, 2025
edited
Loading

Pull Request Test Coverage Report for Build 12731591628

Details

  • 0 of 0 changed or added relevant lines in 0 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage remained the same at 59.245%
Totals Coverage Status
Change from base Build 11667377340: 0.0%
Covered Lines: 1570
Relevant Lines: 2650
💛 - Coveralls

@nunnatsa
Copy link
Contributor Author

/ready-to-test

@nunnatsa
Copy link
Contributor Author

/ok-to-test

@k8s-ci-robot k8s-ci-robot added the ok-to-test Indicates a non-member PR verified by an org member that is safe to test. label Jan 12, 2025
orenc1
orenc1 approved these changes Jan 12, 2025
View reviewed changes
Copy link
Contributor

@orenc1 orenc1 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@k8s-ci-robot
Copy link
Contributor

@orenc1: changing LGTM is restricted to collaborators

In response to this:

/lgtm

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

orenc1
orenc1 reviewed Jan 12, 2025
View reviewed changes
go.mod Outdated
@@ -10,7 +10,7 @@ require (
github.com/pkg/errors v0.9.1
github.com/spf13/cobra v1.8.0
github.com/spf13/pflag v1.0.5
golang.org/x/crypto v0.23.0
golang.org/x/crypto v0.31.0
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why not v0.32.0 if already available[1]?

[1] https://pkg.go.dev/golang.org/x/crypto

@nunnatsa
Bump several dependencies to fix vulnerable packages
53fe671 
Dependency go:golang.org/x/net:v0.25.0 is vulnerable

Upgrade to 0.34.0

GHSA-w32m-9786-jp63,  Score: 8.7

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

Read More: https://osv.dev/vulnerability/GHSA-w32m-9786-jp63

GO-2024-3333,  Score: 8.7

An attacker can craft an input to the Parse functions that would be processed non-linearly with respect to its length, resulting in extremely slow parsing. This could cause a denial of service.

Read More: https://osv.dev/vulnerability/GO-2024-3333

Signed-off-by: Nahshon Unna-Tsameret <nunnatsa@redhat.com>
@qinqon
Copy link
Contributor

qinqon commented Jan 13, 2025

/lgtm
/approve

@k8s-ci-robot k8s-ci-robot added the lgtm "Looks good to me", indicates that a PR is ready to be merged. label Jan 13, 2025
@k8s-ci-robot
Copy link
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: nunnatsa, orenc1, qinqon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@k8s-ci-robot k8s-ci-robot merged commit ed80caa into kubernetes-sigs:main Jan 13, 2025
12 checks passed
@nunnatsa nunnatsa deleted the fix-cve branch January 13, 2025 11:57
@nunnatsa nunnatsa mentioned this pull request Jan 14, 2025
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@orenc1 orenc1 orenc1 approved these changes

@neolit123 neolit123 Awaiting requested review from neolit123

@qinqon qinqon Awaiting requested review from qinqon

Assignees

@qinqon qinqon

Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. cncf-cla: yes Indicates the PR's author has signed the CNCF CLA. lgtm "Looks good to me", indicates that a PR is ready to be merged. ok-to-test Indicates a non-member PR verified by an org member that is safe to test. size/M Denotes a PR that changes 30-99 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@nunnatsa @coveralls @k8s-ci-robot @qinqon @orenc1